LinuxQuestions.org
Linux - General
Old 03-13-2003, 01:31 AM   #1
Smerk
Member
 
Registered: Oct 2002
Location: Cairnsian, Oz
Distribution: Debian testing/unstable, knoppix/debian fudged router!
Posts: 169

Rep: Reputation: 30
iptables-save doesn't!


Firewall gurus!

For some reason my iptables-save doesn't seem to save!

I have a script that I have been editing to change iptables rules, which works well.

I make changes, then run the script and then iptables-save, which then lists the rules etc. When I reboot my router, however, all the changes I have made are lost and I have to run the script again.

Is this normal?

When I first started using the script it seemed to save OK...
I would also be interested to see what people think of the firewall and how secure it is!

the script is as follows:

#!/bin/sh
#
# Firewall/NAT script for a router: ppp0 is the outside link, eth* the LAN side.
#
IPTABLES="/sbin/iptables"
OUTSIDE=ppp0
# multiple network interfaces on router so:
INSIDE=eth+
#INSIDE=eth1
#
# Start from a clean slate: flush every chain in the filter, mangle and nat
# tables, delete user-defined chains, then set default policies. Only INPUT
# defaults to DROP; OUTPUT and FORWARD allow everything not matched below.
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# User chains: "silent" drops without logging. The other three log at most
# five lines a minute (the limit match keeps a flood from filling the logs)
# and then drop. Log prefixes are quoted so the shell passes them verbatim.
$IPTABLES -N silent
$IPTABLES -A silent -j DROP

$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 5/minute -j LOG --log-prefix "TCPflags:"
$IPTABLES -A tcpflags -j DROP

$IPTABLES -N internal
$IPTABLES -A internal -m limit --limit 5/minute -j LOG --log-prefix "Internal:"
$IPTABLES -A internal -j DROP

$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 5/minute -j LOG --log-prefix "Firewalled:"
$IPTABLES -A firewalled -j DROP
#
# NAT: masquerade everything leaving on the ppp link (the FORWARD policy
# above is ACCEPT, so all LAN-to-outside traffic is forwarded).
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Inbound 443/tcp from the outside is DNATed to 192.168.42.1. ACCEPT in the
# nat table only stops further nat rules from applying to 5190/udp; the
# filter rules below decide whether it is let in.
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 443 -j DNAT --to 192.168.42.1
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 5190 -j ACCEPT
#
# Bogus TCP flag combinations used by scanners: xmas (FIN,URG,PSH), all
# flags set, all but PSH, no flags (null scan), SYN+RST, SYN+FIN.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# ICMP: echo reply (0), destination unreachable (3) and time exceeded (11)
# are accepted; echo request (8) is rate limited to one a second; any other
# ICMP is logged and dropped.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# Loopback is always allowed.
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# $IPTABLES -A INPUT -i $INSIDE -d 192.168.42.1 -j ACCEPT
#
# NEW CODE HERE! ##################################################
#
# Only these LAN hosts may talk to the router's own LAN addresses; any
# other LAN host reaching 192.168.42.1 is logged and dropped via "internal".
$IPTABLES -A INPUT -i $INSIDE -s 192.168.42.8 -d 192.168.42.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.43.7 -d 192.168.42.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -s 192.168.43.7 -d 192.168.43.1 -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d 192.168.42.1 -j internal
#
# Replies to connections the router itself opened. Note this sits after the
# "internal" rule, so replies from a non-listed LAN host to 192.168.42.1
# are dropped there before this rule is reached; replies arriving on ppp0
# are unaffected.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# NetBIOS name-service chatter: drop without logging.
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# Services reachable from the outside.
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 5190 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 443 -j ACCEPT
#
# Anything else: log and drop.
$IPTABLES -A INPUT -j firewalled
 
Old 03-13-2003, 08:20 AM   #2
dorian33
Member
 
Registered: Jan 2003
Location: Poland, Warsaw
Distribution: LFS, Gentoo
Posts: 591

Rep: Reputation: 32
Hi. I think it is normal, since iptables-save dumps the iptables rules to the screen. Use
iptables-save > your_file
to catch the new settings in the file. The real name (and path) of 'your_file' should agree with the name of the file used in the init script (the iptables-restore command parameter in the /etc/rc.d/init.d/firewall script).

Last edited by dorian33; 03-13-2003 at 08:21 AM.
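The save/restore pair dorian33 describes, written out as a small sh script. This is an added example, not code from the thread or from the poster's router. It adds the two checks worth having before trusting the result across a reboot: it refuses to overwrite a good rules file with an empty or truncated dump (iptables-save prints nothing useful if the netfilter modules are not loaded), it installs the file atomically, and it can compare the live ruleset against the saved file after boot. The path /etc/iptables.rules, the binary locations and the environment-variable overrides are assumptions; the boot-time hook that calls "restore" is the init script dorian33 mentions, or on Debian a script under /etc/network/if-pre-up.d.

```sh
#!/bin/sh
# Added example: persist and verify an iptables ruleset.
# Assumed defaults (override via environment): rules file and binaries.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
IPTABLES_SAVE="${IPTABLES_SAVE:-/sbin/iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"

# A usable iptables-save dump opens at least one table ("*filter") and
# closes every table it opens with COMMIT. Anything else is rejected.
ruleset_is_complete() {
    f="$1"
    [ -s "$f" ] || return 1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# iptables-save writes to stdout only; without a redirect nothing is
# stored. Capture it to a temp file, validate, then rename into place so
# a reboot never sees a half-written file.
save_rules() {
    target="${1:-$RULES_FILE}"
    tmp="$target.tmp.$$"
    if ! "$IPTABLES_SAVE" > "$tmp"; then
        rm -f "$tmp"
        echo "save_rules: $IPTABLES_SAVE failed" >&2
        return 1
    fi
    if ! ruleset_is_complete "$tmp"; then
        rm -f "$tmp"
        echo "save_rules: refusing to store an empty or truncated dump" >&2
        return 1
    fi
    chmod 600 "$tmp"      # the ruleset reveals your topology; root-only
    mv "$tmp" "$target"
}

# Boot-time half: what the init script should run. iptables-restore reads
# the whole file and replaces each table in one step.
restore_rules() {
    target="${1:-$RULES_FILE}"
    ruleset_is_complete "$target" || {
        echo "restore_rules: $target is missing or incomplete, not loading" >&2
        return 1
    }
    "$IPTABLES_RESTORE" < "$target"
}

# Comment lines carry timestamps and policy lines carry [packets:bytes]
# counters; strip both so only the rules are compared.
normalize_ruleset() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# After a reboot: does the live ruleset match what was saved?
verify_rules() {
    target="${1:-$RULES_FILE}"
    live="$target.live.$$"
    "$IPTABLES_SAVE" > "$live" || { rm -f "$live"; return 1; }
    saved=$(normalize_ruleset "$target")
    current=$(normalize_ruleset "$live")
    rm -f "$live"
    [ "$saved" = "$current" ]
}

if [ $# -gt 0 ]; then
    case "$1" in
        save)    save_rules ;;
        restore) restore_rules ;;
        verify)  verify_rules && echo "live rules match $RULES_FILE" ;;
        *)       echo "usage: $0 save|restore|verify" >&2; exit 2 ;;
    esac
fi
```

Run the firewall script, then "save"; have the boot hook run "restore"; after the next reboot run "verify" to confirm nothing was lost. Keeping the file mode 600 matters because the dump lists every internal address and open port.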
 
Old 03-13-2003, 08:35 AM   #3
Smerk
Member
 
Registered: Oct 2002
Location: Cairnsian, Oz
Distribution: Debian testing/unstable, knoppix/debian fudged router!
Posts: 169

Original Poster
Rep: Reputation: 30
Eggsellent!

Thanks for that. I must have known that at some stage, because having looked in the location where the file is, I found some other copies of the file that I must have been messing with...

looks like my old brain is getting a bit leaky.
 
Old 03-13-2003, 11:04 AM   #4
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
Good script, but it needs more commenting...
Where you set up logging, I am not sure if it's important, but usually there are quotation marks around the log prefix, e.g. "INPUT :".
Not sure if it matters; it just kind of stood out.

Last edited by Pcghost; 03-13-2003 at 11:07 AM.
 
Old 03-13-2003, 11:39 AM   #5
Smerk
Member
 
Registered: Oct 2002
Location: Cairnsian, Oz
Distribution: Debian testing/unstable, knoppix/debian fudged router!
Posts: 169

Original Poster
Rep: Reputation: 30
Oops...
I hacked out all the commenting to cut down on post size, sorry.
 